EU’s GDPR breakdown: What all brands need to know
The General Data Protection Regulation (GDPR) will completely change the way that organizations collect, store, and utilize data for their customers and prospects. With new regulations set to roll out in just a few short weeks, it is essential that all companies that store consumer data have an understanding of what it means for their business. The GDPR will not only affect online advertisers, but all brands who collect customer data within the limits of the European Union.
What is General Data Protection Regulation (GDPR)?
The GDPR is legislation that was passed by the European Union (EU) Parliament that regulates the way that companies can store and utilize customer data. The legislation includes the controversial “right to be forgotten” provision that allows users to request the removal of their personal data from company and public records.
While the GDPR is an EU regulation, it will also apply to all companies that process and hold data from customers located in the EU. In the U.S., the GDPR and its implications have flown under the radar. Although many expect the U.S. to follow suit sometime in the next few years with its own customer data and privacy legislation, it is important that U.S. companies take notice and take the proper steps to ensure that they comply with the GDPR. The fines for non-compliance are steep: organizations found to be in breach of GDPR regulations will be fined up to 4 percent of annual global turnover, or €20 Million, whichever is greater.
The goal of the GDPR is to return full control of personal data to customers and citizens and place common sense limits on the way that data can be used. The legislation covers all types of personal information including name, address, bank details, email address, social networking information, medical info, and even photos and other personal rich media.
When does the GDPR go into effect?
The GDPR was passed by the European Parliament in April 2016, and companies were given over two years to prepare for the new regulations. The regulations will start being enforced on May 25th, 2018, applying to all EU citizens in the 28 states that belong to the European Union. Although the UK is scheduled to leave the European Union in 2019 due to Brexit, it has already announced that it will continue to adopt and implement the GDPR regulations on its own.
Why was the GDPR passed?
The GDPR was passed due to concerns over how companies have stored and utilized personal data. Although there was existing legislation in place before the passing of the GDPR, many of those laws were decades old and did not take into account how the internet would change personal data collection. This, plus the rise in cloud technology, which has made the processing, collection, and sharing of data much more commonplace for all companies, prompted the EU to take steps to strengthen current laws to account for these changes. Before passing the legislation, the EU released an overview of its reasoning behind the legislation.
Changes in data storage and uses
The GDPR represents huge changes for any company that stores customer data from citizens in EU states. Generally, data will be harder for companies to access and store, as there are many stipulations surrounding how that data can be used.
While the GDPR will affect all companies that store EU citizen data, it will particularly disrupt current processes for online advertisers who will be subjected to much stricter rules regarding how they track customers on the web. In addition to changes brought by the GDPR, the EU Parliament has already announced their intention to update EU ePrivacy regulations, which will focus on unsolicited marketing messaging, cookies, and confidentiality as it applies specifically to internet advertising.
One major change that online advertisers can expect is a change to the opt-in process for tracking users. As it stands now, internet browsers default to allowing tracking, and users who do not want to be tracked have to opt out. These new regulations will require that users opt in to tracking, with internet browsers no longer being allowed to opt users in by default.
Some of the more prominent pieces of the GDPR legislation include:
- Simplified consent for consumers. One argument was that consumers who were opted into tracking by default were not even aware that their information was being tracked. Under the GDPR, consent must be easily understood and clearly written for the user. Additionally, users must be provided with a way to reverse consent.
- Required notification of breaches. Any data breach that is deemed likely to result in risk for the rights of individuals must be reported to those individuals within 72 hours of discovery of the breach.
- Improved consumer data rights. The GDPR requires that data subjects have the ability to request copies of their information or move data from one service provider to another at their request. Additionally, the legislation grants consumers the “right to be forgotten” and request that companies delete their data.
- Improved systems. Companies are required to comply with the “privacy by design” regulations in the GDPR, which require that companies build processes with data protection in mind rather than adding them to existing systems as an afterthought.
- Improved privacy protections for children. Parental consent is required for the collection of data for children up to the age of 16.
Although the GDPR does not apply to users worldwide, it has prompted several companies to change their policies across the board. Google, for instance, has announced that it will be rolling out worldwide changes inspired by the regulation. However, not all companies are following suit. Although Facebook CEO Mark Zuckerberg announced that the company would be rolling out GDPR-inspired changes in other localities, the actual implementation of those changes is much less sweeping than the announcement would lead you to believe. The rate of worldwide adoption for these policies is currently mixed, and it will be interesting to see whether the GDPR serves as a basis for legislation in other areas of the world.
If one thing is certain after the passing of the GDPR, it’s that we are moving toward an era where consumers have more control over and care more about their personal data and how it is used. They will have power over their collected data in a way that we have never seen before. While there are some that say that this spells doom for internet advertisers and digital-first brands, it remains to be seen how significantly the GDPR and similar legislation will change business processes.
A New Future
While the GDPR does require some pretty important changes for digital advertisers, it does not spell the end for digital advertising. The regulation is focused on catching current standards up to the internet age and empowering customers who want to opt in for higher levels of privacy. In the end, these changes could result in healthier relationships between customers and brands, but they do pose a serious short-term problem for digital-first technology companies.
With the recent controversy surrounding Cambridge Analytica breaking Facebook’s terms of service to access personal data for millions of users, the GDPR implementation seems timely.
It remains to be seen how big of an impact the GDPR will have on companies both in the EU and worldwide, but it does signal a seismic shift in the handling of consumer data. Privacy is a primary concern for governments and citizens around the world, and the GDPR is just the first of what will likely be many similar legislative acts to regulate digital data and give customers power over their information.